Closed
Bug 1306506
Opened 9 years ago
Closed 9 years ago
Hit MOZ_CRASH(Invalid vartype) at js/src/asmjs/AsmJS.cpp:1101
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla52
| | Tracking | Status |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: gkw, Assigned: sunfish)
References
Details
(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
39.36 KB, text/plain
3.73 KB, patch (luke: review+)
The following testcase crashes on mozilla-central revision f7d5008ee2ab (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
f = (function(stdlib, foreign, heap) {
"use asm";
function f() {
1,
1 / 0
}, new SharedArrayBuffer(4096)
);
Backtrace:
0 js-dbg-64-dm-clang-darwin-f7d5008ee2ab 0x0000000103c848fa CheckExpr((anonymous namespace)::FunctionValidator&, js::frontend::ParseNode*, Type*) + 9066 (AsmJS.cpp:1101)
1 js-dbg-64-dm-clang-darwin-f7d5008ee2ab 0x0000000103c80dad CheckAsExprStatement((anonymous namespace)::FunctionValidator&, js::frontend::ParseNode*) + 61 (AsmJS.cpp:6379)
2 js-dbg-64-dm-clang-darwin-f7d5008ee2ab 0x0000000103c7b6c1 CheckStatement((anonymous namespace)::FunctionValidator&, js::frontend::ParseNode*) + 209 (AsmJS.cpp:6397)
3 js-dbg-64-dm-clang-darwin-f7d5008ee2ab 0x0000000103c6c5bb CheckFunctions(ModuleValidator&) + 4635 (AsmJS.cpp:7086)
4 js-dbg-64-dm-clang-darwin-f7d5008ee2ab 0x0000000103c474d8 CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, unsigned int*) + 5272 (AsmJS.cpp:7337)
/snip
For detailed crash information, see attachment.
Comment 1 • 9 years ago (Reporter)
Comment 2 • 9 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/958074f3b830
user: Dan Gohman
date: Fri Sep 23 09:13:15 2016 -0500
summary: Bug 1287220 - Baldr: update to binary version 0xc (r=luke)
Dan, is bug 1287220 a likely regressor?
Blocks: 1287220
Flags: needinfo?(sunfish)
Comment 4 • 9 years ago (Assignee)
This adds a new method for converting from asm.js Type to wasm::ExprType that handles non-canonical types, for the purpose of computing block signatures.
Attachment #8796361 - Flags: review?(luke)
Comment 5 • 9 years ago
Comment on attachment 8796361
wasm-asmjs-block-signature.patch
Review of attachment 8796361:
-----------------------------------------------------------------
Nice and explicit.
Attachment #8796361 - Flags: review?(luke) → review+
Pushed by dgohman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1a61d8bf5b3d
OdinMonkey: Don't require canonicalizable types when computing block signatures. r=luke
Comment 7 • 9 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52